Cross-site Scripting (XSS) - Stored in zhongshaofa/easyadmin

Valid

Reported on

Sep 16th 2021


Description

Stored XSS via the uploaded file's name allows arbitrary execution of JavaScript in the Upload Management page

Proof of Concept

At Upload Management, upload an image file with the filename: Sun'><img src=x onerror=alert(1)>set.jpg

Image Upload File

https://user-images.githubusercontent.com/31820707/133646077-b6a14692-fea3-4a37-95e7-eb4c4e6f9073.png

Image XSS Trigger

https://user-images.githubusercontent.com/31820707/133646262-b3cd6b88-90ab-4ba9-be98-c6391cf53d75.png

Impact

If a normal user account can upload such a file, then when an admin opens the Upload Management page the XSS fires, and the attacker can steal the admin's cookie.

We have contacted a member of the zhongshaofa/easyadmin team and are waiting to hear back 3 months ago
Mr.Chung
3 months ago

Maintainer


At present, uploaded files are renamed to an MD5-format name before being saved, so this problem should not exist. If it can be reproduced, please provide the reproduction steps.


lethanhphuc
3 months ago

Researcher


You can check the video and image file PoC here: PoC

Mr.Chung validated this vulnerability 2 months ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Mr.Chung confirmed that a fix has been merged on 0f8927 2 months ago
Mr.Chung has been awarded the fix bounty